Firefox 118 Addresses Multiple Security Vulnerabilities
Released last week, Firefox 118 arrives with the much-anticipated built-in translation feature, which was initially planned for Firefox 117. This new feature allows users to translate website content from one language to another.
Soon after the release, Firefox 118 addressed multiple security vulnerabilities reported by external researchers on September 26, 2023. Among these, six were described as high-severity vulnerabilities by Mozilla. Other patched vulnerabilities include two moderate and one low-severity bug.
Six High-Severity Vulnerabilities Fixed
CVE-2023-5168
The FilterNodeD2D1 may receive malicious data from a compromised content process, causing an out-of-bounds write and a potentially exploitable crash in a privileged process. Firefox is affected by this problem on Windows only. There is no impact on other operating systems.
CVE-2023-5169
An out-of-bounds write caused by malicious data in a PathRecording from a compromised content process may have caused a crash in a privileged process that might have been exploited.
CVE-2023-5170
Within canvas rendering, a compromised content process might have induced an unexpected alteration in a surface, potentially resulting in a memory leak within a privileged process. This memory leakage could be exploited for a sandbox escape if the specific data required for such an escape was exposed.
CVE-2023-5171
While undergoing Ion compilation, a Garbage Collection event might have led to a use-after-free scenario, granting an attacker the ability to write two NUL bytes and potentially trigger a crash that could be exploited.
CVE-2023-5172
Within the Ion Engine, the mutation of a hashtable could have occurred while a live interior reference was still in place, potentially resulting in a use-after-free situation and a crash that could be exploited.
CVE-2023-5176
Firefox 117, Firefox ESR 115.2, and Thunderbird 115.2 contained memory safety vulnerabilities. Some of these vulnerabilities exhibited signs of memory corruption, and it is conceivable that, with sufficient effort, certain ones could have been leveraged to execute arbitrary code.
Critical Vulnerability Fixed in Firefox 118.0.1
Following the above events, Mozilla announced patches for the critical vulnerability, CVE-2023-5217, on September 28, 2023. The flaw was discovered in the libvpx library, where specific handling of an attacker-controlled VP8 media stream could lead to a heap buffer overflow in the content process.
Final Thoughts
It is crucial to update the Firefox web browser to the latest version to avoid the potential risk of these vulnerabilities. The new Firefox 118 updates should already be accessible in your distribution’s stable repositories, so it is advised to maintain a regular update schedule to keep your system secure.
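An added example (not from Mozilla or the original article): a shell check that classifies the output of `firefox --version` against the two release-channel fix levels named above, 118.0 and 118.0.1. The function names and status labels are assumptions chosen for illustration, and ESR builds are reported separately because this article gives no fixed ESR version.

```shell
#!/bin/sh
# ver_lt A B: succeeds when dotted version A is numerically lower than B.
# Missing components count as 0, so 118.0 < 118.0.1 and 118.0 == 118.0.0.
ver_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0} y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1
}

# firefox_fix_status "<output of firefox --version>"
# Prints one hypothetical status label:
#   missing-118-fixes          below 118.0 (none of the fixes listed above)
#   missing-CVE-2023-5217-fix  118.0.x below 118.0.1
#   patched                    118.0.1 or later
#   esr-not-covered            ESR build; fixed ESR version is not in this article
#   unparseable                no dotted numeric version found
firefox_fix_status() {
    v=${1##* }    # last field, e.g. "118.0.1" from "Mozilla Firefox 118.0.1"
    case $v in
        *esr) echo "esr-not-covered"; return 0 ;;
    esac
    case $v in
        ''|*[!0-9.]*|.*|*.|*..*) echo "unparseable"; return 0 ;;
    esac
    if ver_lt "$v" 118.0; then
        echo "missing-118-fixes"
    elif ver_lt "$v" 118.0.1; then
        echo "missing-CVE-2023-5217-fix"
    else
        echo "patched"
    fi
}

# Constructed sample inputs (not captured from a real host).
for s in "Mozilla Firefox 117.0.1" "Mozilla Firefox 118.0" \
         "Mozilla Firefox 118.0.1" "Mozilla Firefox 115.2.0esr"; do
    printf '%s -> %s\n' "$s" "$(firefox_fix_status "$s")"
done
```

On a real host, call it as `firefox_fix_status "$(firefox --version)"`.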
The source for this story is available at Mozilla Foundation Security Advisories.